Protecting Your Site from Malware

Malware attacks targeting ecommerce sites are on the rise. Malicious actors are continually developing new ways to harvest lucrative credit card and personal information from transactions. It has never been more critical for merchants to follow security best practices.

In most malware cases we’ve analyzed, attackers are not developing new ways to penetrate Magento sites. Instead, they are taking advantage of existing, unpatched vulnerabilities, poor passwords, and weak ownership and permission settings in the file system – all things you can control!

To ensure the highest level of security, here are actions you can take to protect your business:

Set up strong passwords and change them at least every 90 days, as recommended by the PCI Data Security Standard in section 8.2.4. You can check your password lifetime setting in the following locations:

Scan your store monthly on MageReport.com to detect malware and to identify any security patches you may not have deployed. MageReport.com is a highly-regarded service that is available at no charge.

Each month, review all of your Admin user accounts and remove any that you do not recognize, or are no longer valid or active.

Verify that the system file permissions are set according to Magento 1 and Magento 2 file permission guidance. Misconfigured permissions may allow attackers to modify Magento code files and inject vulnerabilities into your environment.

Check your system for unauthorized programs. For example, check for processes that perform key logging functions and unnecessary processes that are not required for Magento system operation.

If you discover that your site has been attacked, immediately reach out to your Solution Partner, developer, or a security firm to clean your site of all malicious code, install any missing patches and update all Admin passwords. If you think that you have found a specific vulnerability in Magento and can provide more technical details, please report it to security@magento.com.

Protecting your site from malware requires building the “security muscle” in your organization. Take the time to develop a plan and train your team so that security becomes a natural part of your daily business processes.